GHSA-W5C7-9QQW-6645

Vulnerability from github – Published: 2026-02-18 00:56 – Updated: 2026-02-18 00:56
VLAI?
Summary
OpenClaw inter-session prompts could be treated as direct user instructions
Details

Summary

Inter-session messages sent via sessions_send could be interpreted as direct end-user instructions because they were persisted as role: "user" without provenance metadata.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.12 (i.e. < 2026.2.13)
  • Fixed in: 2026.2.13 (patched versions >= 2026.2.13)

Impact

A delegated or internal session could inject instructions into another session that appeared equivalent to externally-originated user input.

This is an instruction-provenance confusion issue (confused-deputy style), which can lead to unintended privileged behavior in workflows that trust role: "user" as a sole authority signal.

Technical details

Before the fix, routed inter-session prompts were stored as regular user turns without a verifiable source marker.

As a result, downstream workers and transcript readers could not distinguish: - External user input - Internal inter-session routed input

Fix

OpenClaw now carries explicit input provenance end-to-end for routed prompts.

Key changes: - Added structured provenance model (inputProvenance) with kind values including inter_session. - sessions_send and agent-to-agent steps now set inter-session provenance when invoking target runs. - Provenance is persisted on user messages as message.provenance.kind = "inter_session" (role remains user for provider compatibility). - Transcript readers and memory helpers were updated to respect provenance and avoid treating inter-session prompts as external user-originated input. - Runtime context rebuilding now annotates inter-session turns with an explicit in-memory marker ([Inter-session message]) for clearer model-side disambiguation. - Regression tests were added for transcript parsing, session tools flow, runner sanitization, and memory hook behavior.

Fix Commit(s)

  • 85409e401b6586f83954cb53552395d7aab04797

Workarounds

If immediate upgrade is not possible: - Disable or restrict sessions_send in affected environments. - Do not use role alone as an authority boundary; require provenance-aware checks in orchestration logic.

Credit

Reported by @anbecker.

Thanks @anbecker for reporting.

Severity ?
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T00:56:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nInter-session messages sent via `sessions_send` could be interpreted as direct end-user instructions because they were persisted as `role: \"user\"` without provenance metadata.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.12` (i.e. `\u003c 2026.2.13`)\n- Fixed in: `2026.2.13` (patched versions `\u003e= 2026.2.13`)\n\n## Impact\n\nA delegated or internal session could inject instructions into another session that appeared equivalent to externally-originated user input.\n\nThis is an instruction-provenance confusion issue (confused-deputy style), which can lead to unintended privileged behavior in workflows that trust `role: \"user\"` as a sole authority signal.\n\n## Technical details\n\nBefore the fix, routed inter-session prompts were stored as regular user turns without a verifiable source marker.\n\nAs a result, downstream workers and transcript readers could not distinguish:\n- External user input\n- Internal inter-session routed input\n\n## Fix\n\nOpenClaw now carries explicit input provenance end-to-end for routed prompts.\n\nKey changes:\n- Added structured provenance model (`inputProvenance`) with `kind` values including `inter_session`.\n- `sessions_send` and agent-to-agent steps now set inter-session provenance when invoking target runs.\n- Provenance is persisted on user messages as `message.provenance.kind = \"inter_session\"` (role remains `user` for provider compatibility).\n- Transcript readers and memory helpers were updated to respect provenance and avoid treating inter-session prompts as external user-originated input.\n- Runtime context rebuilding now annotates inter-session turns with an explicit in-memory marker (`[Inter-session message]`) for clearer model-side disambiguation.\n- Regression tests were added for transcript parsing, session tools flow, runner sanitization, and memory hook behavior.\n\n## Fix Commit(s)\n\n- `85409e401b6586f83954cb53552395d7aab04797`\n\n## Workarounds\n\nIf immediate upgrade is not possible:\n- Disable or restrict `sessions_send` in affected environments.\n- Do not use role alone as an authority boundary; require provenance-aware checks in orchestration logic.\n\n## Credit\n\nReported by @anbecker.\n\nThanks @anbecker for reporting.",
  "id": "GHSA-w5c7-9qqw-6645",
  "modified": "2026-02-18T00:56:51Z",
  "published": "2026-02-18T00:56:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/85409e401b6586f83954cb53552395d7aab04797"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw inter-session prompts could be treated as direct user instructions"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.